

A digital computer is generally believed to be an efficient universal computing device; that is, it is believed able to simulate any physical computing device with an increase in computation time by at most a polynomial factor. This may not be true when quantum mechanics is taken into consideration. This paper considers factoring integers and finding discrete logarithms, two problems which are generally thought to be hard on a classical computer and which have been used as the basis of several proposed cryptosystems. Efficient randomized algorithms are given for these two problems on a hypothetical quantum computer. These algorithms take a number of steps polynomial in the input size, e.g., the number of digits of the integer to be factored.

...this paper. Two number theory problems which have been studied extensively but for which no polynomial-time algorithms have yet been discovered are finding discrete logarithms and factoring integers [Pomerance 1987, Gordon 1993, Lenstra and Lenstra 1993, Adleman and McCurley 1994]. These problems are so widely believed to be hard that several cryptosystems based on their difficulty have been proposed, including...


A computer is generally considered to be a universal computational device; i.e., it is believed able to simulate any physical computational device with a cost in computation time of at most a polynomial factor. It is not clear whether this is still true when quantum mechanics is taken into consideration. Several researchers, starting with David Deutsch, have developed models for quantum mechanical computers and have investigated their computational properties. This paper gives Las Vegas algorithms for finding discrete logarithms and factoring integers on a quantum computer that take a number of steps which is polynomial in the input size, e.g., the number of digits of the integer to be factored. These two problems are generally considered hard on a classical computer and have been used as the basis of several proposed cryptosystems. (We thus give the first examples of quantum cryptanalysis.)


Recently, several algorithms using number field sieves have been given to factor a number $n$ in heuristic expected time $L_n[1/3; c]$, where $L_n[v; c] = \exp\{(c + o(1))(\log n)^{v} (\log \log n)^{1-v}\}$, for $n \to \infty$. In this paper we present an algorithm to solve the discrete logarithm problem for $GF(p)$ with heuristic expected running time $L_p[1/3; 3^{2/3}]$. For numbers of a special form, there is an asymptotically slower but more practical version of the algorithm.

...s a reasonable heuristic assumption that the equations will have full rank, and most discrete logarithm algorithms involve a similar assumption. An exception is the rigorous algorithm of Pomerance in [20], but we have no version of his Lemma 4.1 which works in this setting. 4 Runtime Analysis We will choose two parameters to optimize the performance: the size of B will be $L_p[1/3; \delta]$, and the size of m...


Abstract. In this paper we discuss the basic problems of algorithmic algebraic number theory. The emphasis is on aspects that are of interest from a purely mathematical point of view, and practical issues are largely disregarded. We describe what has been done and, more importantly, what remains to be done in the area. We hope to show that the study of algorithms not only increases our understanding of algebraic number fields but also stimulates our curiosity about them. The discussion is concentrated on three topics: the determination of Galois groups, the determination of the ring of integers of an algebraic number field, and the computation of the group of units and the class group of that ring of integers.

...ities. We refer to [47] for a further discussion. Algorithmic problems relating to the multiplicative group of finite fields, such as the discrete logarithm problem, are generally very difficult, see [53, 57, 41, 27, 60, 51]. 2.9. Number fields. By a number field or an algebraic number field we mean in this paper a field extension K of finite degree of the field Q of rational numbers. For the basic theory of algebraic nu...


In this article we survey recent developments concerning the discrete logarithm problem. Both theoretical and practical results are discussed. We emphasize the case of finite fields, and in particular, recent modifications of the index calculus method, including the number field sieve and the function field sieve. We also provide a sketch of some of the cryptographic schemes whose security depends on the intractability of the discrete logarithm problem. 1 Introduction Let $G$ be a cyclic group generated by an element $t$. The discrete logarithm problem in $G$ is to compute for any $b \in G$ the least non-negative integer $e$ such that $t^e = b$. In this case, we write $\log_t b = e$. Our purpose, in this paper, is to survey recent work on the discrete logarithm problem. Our approach is twofold. On the one hand, we consider the problem from a purely theoretical perspective. Indeed, the algorithms that have been developed to solve it not only explore the fundamental nature of one of the basic s...

Quantum computers can execute algorithms that dramatically outperform classical computation. As the best-known example, Shor discovered an efficient quantum algorithm for factoring integers, whereas factoring appears to be difficult for classical computers. Understanding what other computational problems can be solved significantly faster using quantum algorithms is one of the major challenges in the theory of quantum

... of x. This is apparently much harder than primality testing, since the smallest currently-known circuit family for this problem is probabilistic and has size $O(2^{d\sqrt{n \log n}})$ (where $d$ is a constant) [36, 41], which is far from being polynomially-bounded. One of the reasons why quantum algorithms are of interest is that there exists a quantum circuit family of polynomial-size that solves the factoring pro...


We discuss the issue of the parameterized computational complexity of a number of problems of interest in cryptography. We show that the problem of determining whether an $n$-digit number has a prime divisor less than or equal to $n^k$ can be solved in expected time $f(k)n^3$ by a randomized algorithm that employs elliptic curve factorization techniques (this result depends on an unproved but plausible number-theoretic conjecture). An analogous computational problem concerning discrete logarithms is directly relevant to some proposed cryptosystem implementations. Our result suggests caution about implementations which fix a parameter such as the size or Hamming weight of keys. We show that several parameterized problems of relevance to cryptography, including k-Subset Sum, k-Perfect Code, and k-Subset Product are likely to be intractable with respect to fixed-parameter complexity. In particular, we show that they cannot be solved in time $f(k)n^{\alpha}$, where $\alpha$ is independent...


Integer factorization and discrete logarithm calculation are important to public key cryptography. The most efficient known methods for these problems require the solution of large sparse linear systems, modulo two for the factoring case, and modulo large primes for the logarithm case. This thesis is concerned with solving these equations modulo large primes. The methods typically used in this application are examined and compared, and improvements are suggested. A solution method derived from the bi-diagonalization method of Golub and Kahan is developed, and shown to require one-half the storage of the Lanczos method, one-quarter less than the conjugate gradient method, and no more computation than either of these methods. It is expected that this method will become the method of choice for the solution modulo large primes of the equations involved in discrete logarithm calculation. The problem of breakdown for the general case of non-symmetric and possibly singular matrices is considered, and new lookahead methods for orthogonal and conjugate Lanczos algorithms are derived. A unified treatment of the Lanczos algorithms, the conjugate gradient algorithm and the Wiedemann algorithm is given using an orthogonal polynomial approach. It is shown, in particular, that incurable breakdowns can be handled by such an approach. The conjugate gradient algorithm is shown to consist of coupled conjugate and orthogonal Lanczos iterations, linking it to the development given for Lanczos methods. An efficient integrated lookahead method is developed for the conjugate gradient algorithm.

...ter 4 Analysis of Large Prime Variations The large prime variation is very useful in practice for sieve methods used in factorization and discrete logarithms. While not giving any asymptotic advantage [29], it is able to speed up these methods by a constant factor, in practice by 2 to 2.5 times [21] for the quadratic sieve factoring method. This speed-up makes the large prime variation an essential comp...